Esc

External Remote Services - T1133

(ATT&CK® Technique)

Definition

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1133["External Remote Services"] --> |produces| NetworkSession["Network Session"]; class T1133 OffensiveTechniqueNode;
        class NetworkSession ArtifactNode; click NetworkSession href "/dao/artifact/d3f:NetworkSession";
        click T1133 href "/offensive-technique/attack/T1133/"; click NetworkSession href "/dao/artifact/d3f:NetworkSession"; T1133["External Remote Services"] --> |produces| Authentication["Authentication"]; class T1133 OffensiveTechniqueNode;
        class Authentication ArtifactNode; click Authentication href "/dao/artifact/d3f:Authentication";
        click T1133 href "/offensive-technique/attack/T1133/"; click Authentication href "/dao/artifact/d3f:Authentication"; T1133["External Remote Services"] --> |produces| Authorization["Authorization"]; class T1133 OffensiveTechniqueNode;
        class Authorization ArtifactNode; click Authorization href "/dao/artifact/d3f:Authorization";
        click T1133 href "/offensive-technique/attack/T1133/"; click Authorization href "/dao/artifact/d3f:Authorization";                                       SessionDurationAnalysis["Session Duration Analysis"] -->
          | analyzes | Authentication["Authentication"];

          SessionDurationAnalysis["Session Duration Analysis"] -.->
            | May Detect | T1133["External Remote Services"] ;
          class SessionDurationAnalysis DefensiveTechniqueNode;
          class Authentication ArtifactNode;
          click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis"; SessionDurationAnalysis["Session Duration Analysis"] -->
          | analyzes | Authorization["Authorization"];

          
          class SessionDurationAnalysis DefensiveTechniqueNode;
          class Authorization ArtifactNode;
          click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis";                       SessionTermination["Session Termination"] -->
          | deletes | NetworkSession["Network Session"];

          SessionTermination["Session Termination"] -.->
            | May Evict | T1133["External Remote Services"] ;
          class SessionTermination DefensiveTechniqueNode;
          class NetworkSession ArtifactNode;
          click SessionTermination href "/technique/d3f:SessionTermination"; AuthenticationEventThresholding["Authentication Event Thresholding"] -->
          | analyzes | Authentication["Authentication"];

          AuthenticationEventThresholding["Authentication Event Thresholding"] -.->
            | May Detect | T1133["External Remote Services"] ;
          class AuthenticationEventThresholding DefensiveTechniqueNode;
          class Authentication ArtifactNode;
          click AuthenticationEventThresholding href "/technique/d3f:AuthenticationEventThresholding"; AuthorizationEventThresholding["Authorization Event Thresholding"] -->
          | analyzes | Authorization["Authorization"];

          AuthorizationEventThresholding["Authorization Event Thresholding"] -.->
            | May Detect | T1133["External Remote Services"] ;
          class AuthorizationEventThresholding DefensiveTechniqueNode;
          class Authorization ArtifactNode;
          click AuthorizationEventThresholding href "/technique/d3f:AuthorizationEventThresholding"; JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] -->
          | analyzes | Authorization["Authorization"];

          JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] -.->
            | May Detect | T1133["External Remote Services"] ;
          class JobFunctionAccessPatternAnalysis DefensiveTechniqueNode;
          class Authorization ArtifactNode;
          click JobFunctionAccessPatternAnalysis href "/technique/d3f:JobFunctionAccessPatternAnalysis";                                                     ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -->
          | analyzes | Authentication["Authentication"];

          ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -.->
            | May Detect | T1133["External Remote Services"] ;
          class ResourceAccessPatternAnalysis DefensiveTechniqueNode;
          class Authentication ArtifactNode;
          click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis"; ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -->
          | analyzes | Authorization["Authorization"];

          
          class ResourceAccessPatternAnalysis DefensiveTechniqueNode;
          class Authorization ArtifactNode;
          click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis";

json